By: Brian Behlendorf (OpenSSF), Michael Scovetta (Microsoft), and Michael Winser (Google)
As part of the OpenSSF’s continued investment in critical open-source projects, we are pleased to announce that the OpenSSF’s Alpha-Omega Project has committed to $800,000 in funding split equally among the Python Software Foundation (PSF) and the Eclipse Foundation to fund critical security roles. We are also happy to announce that the Secure Open Source Rewards pilot program will be managed by the Alpha-Omega Project.
Python Software Foundation Funding
Python consistently ranks as one of the most popular programming languages, used widely for web development, scientific computing, artificial intelligence and machine learning, amongst many other uses. As such, security improvements for the Python ecosystem will have a tremendous impact for all Python users and for the open source community as a whole.
The Python Software Foundation (PSF) is a non-profit whose mission is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers. In addition to maintaining Python the language, the PSF owns and operates the Python Package Index (PyPI), which is critical open-source infrastructure, and produces PyCon US, the longest-running Python conference.
OpenSSF’s Alpha-Omega Project has committed to $400K to the Python Software Foundation (PSF), in order to create a new role which will provide security expertise for Python, the Python Package Index (PyPI), and the rest of the Python ecosystem, as well as funding a security audit.
This investment will enable the PSF to formalize existing security practices and to make more proactive security improvements. The new role will be responsible for identifying and addressing security issues across PSF projects such as CPython and PyPI, and applying full-time knowledge and expertise along with volunteers to implement key improvements in a timely manner.
Eclipse Foundation Funding
Open source software is the single most important engine for innovation today. The ability to freely combine software components, frameworks, and platforms frees developers from constantly reinventing the wheel and allows them to focus on the new innovations that users want. Free software also enables business models to scale in ways that proprietary software would never allow. Globally and in all sectors of the economy, building on top of open source software is the dominant approach to delivering successful software systems today.
The Eclipse Foundation provides its global community of individuals and organizations with a mature, scalable, and business-friendly environment for open source software collaboration and innovation. The Foundation is home to the Eclipse IDE, Jakarta EE, and over 350 open source projects, including runtimes, tools, and frameworks for a wide range of technology domains such as the Internet of Things, automotive, geospatial, systems engineering, and many others.
OpenSSF’s Alpha-Omega Project has committed $400K to the Eclipse Foundation to fund additional staff and resources to roll out many of the ideas in the Open Source Software Supply Chain Best Practices document. This includes automating the generation of static source-based SBOMs for all Eclipse Foundation project repositories, implementing a SLSA-based project badging program for Eclipse Foundation projects, and initiating security audits for high-profile Eclipse Foundation projects.
SOS.dev Moves Under Project Alpha-Omega Umbrella
The Secure Open Source Rewards pilot program financially rewards developers for enhancing the security of critical open source projects on which we all depend. SOS rewards a broad range of improvements that proactively harden critical open source projects and support infrastructure against application and supply chain attacks. To complement existing programs that reward vulnerability management, SOS’s scope is comparatively wider in the type of work it rewards, in order to support project developers.
Established in 2021, SOS.dev’s mission has aligned so well with that of Alpha-Omega, we’re happy to be able to provide additional process improvements and oversight to accelerate rewards through the program.
Critical Open-Source Ecosystem Investments
We’re incredibly excited about these investments in this critical open-source ecosystem. This announcement follows a similar recent investment in the OpenJS Foundation, and is just the start of more to come.
The success of OpenSSF is due to the contributions and support of the developer community and member companies. To learn more about how you can join your industry peers in supporting OpenSSF, please fill out this form to be contacted by an OpenSSF representative. To support the OpenSSF as an individual contributor, see the many ways you can also get involved in the OpenSSF.